AUDIT REPORT

INFORMATION SYSTEM CONTROLS

AT THE NATIONAL MUSEUM OF AMERICAN HISTORY,

BEHRING CENTER

Number A-04-02

June 16, 2004

SUMMARY

The Office of the Inspector General audited information system controls at the National Museum of American History, Behring Center (NMAH). The purpose of the audit was to evaluate NMAH information system controls for system access, server and database configurations, and network security.

Two points were considered throughout our audit: (1) Adequate security of information and the systems that process it is a fundamental management responsibility. (2) Management must, of necessity, strike a reasonable balance between information technology security and operational capability because some controls impede operations.

Smithsonian policy requires managers to establish adequate controls to maintain accountability for the custody and use of resources and to provide reasonable assurance that assets are safeguarded against loss or unauthorized use. Overall, NMAH did have system backup security controls in place. However, we determined that NMAH system security configurations and safeguards were inadequate and that the risk to system access and data integrity was high. During our audit, NMAH management reviewed system accounts, made changes, and began reviewing configuration deficiencies identified during the audit.

We made recommendations to improve systems security and general system controls at NMAH. The recommendations included performing reviews of system configurations; removing unnecessary accounts; developing plans to address identified system security weaknesses; and establishing policies and minimum technical configuration guidance for server operating systems, web server applications, and databases.
Management agreed with the recommendations, and the planned actions are responsive to the recommendations.

TABLE OF CONTENTS

1. Introduction ..... 1
   A. Purpose ..... 1
   B. Scope and Methodology ..... 1
   C. Background ..... 1
2. Results of Audit ..... 2
   Review of NMAH Information System Security ..... 2
Appendix A. Policies and Industry Standards ..... 7
Appendix B. Glossary ..... 9
Appendix C. Management Comments ..... 10

ABBREVIATIONS AND ACRONYMS

NIST    National Institute of Standards and Technology
NMAH    National Museum of American History, Behring Center
SANS    System, Audit, Network, Security Institute

INTRODUCTION

A. Purpose

The purpose of the audit was to evaluate NMAH information system controls for system access, server and database configurations, and network security.

B. Scope and Methodology

The audit was conducted from November 14, 2003, to May 7, 2004, in accordance with generally accepted government auditing standards. The audit methodology consisted of the following:

  - Identifying and reviewing applicable Institution policies and procedures related to system general controls, computer system security, and integrity of computer resources.
  - Comparing NMAH system security settings with industry and Institution standards.
  - Evaluating controls meant to safeguard and protect networks.
  - Assessing the adequacy of controls meant to prevent and detect unauthorized activities.
  - Utilizing guidance issued by the National Institute of Standards and Technology (NIST), National Security Agency, Oracle Corporation, and Microsoft Corporation relating to system security configuration.

Our review also included interviews with NMAH technology staff, through which we gained an understanding of the practices employed concerning system configuration, network security, and system access.

C. Background

The NMAH opened to the public in January 1964 as the Museum of History and Technology. NMAH's basic mission is the collection, care, and study of objects that reflect the experience of the American people.

RESULTS OF AUDIT

Review of NMAH Information System Security

NMAH systems security can be strengthened to prevent unauthorized access. Specifically, opportunities exist to strengthen controls over network access, server operating systems, databases, and web server applications security configurations and settings.
This condition exists because of a lack of specific system configuration standards and inadequate NMAH information technology staff resources to address system security weaknesses. As a result, NMAH information systems are vulnerable to unauthorized access and the integrity of its data could be compromised.

Network Access

We scanned external and internal network ports and services of NMAH servers as part of access control testing. Internally, we also scanned and performed limited penetration testing of NMAH client workstations. In addition, we assessed the server operating systems, databases, and web server applications against industry guidance and configuration standards.[1] From these assessments, we determined that configurations should be modified to meet minimum industry recommended security configuration standards. Also, we performed scans of 13 NMAH servers.[2] Externally, we were unsuccessful in identifying the specific ports and services at the time we conducted our tests for these servers. Our internal network scans, however, did find some open ports with available services that could be vulnerable. Our scans of client workstations discovered vulnerabilities. One in particular allowed access to sensitive data such as personnel, marketing, and sponsor fundraising information.

Analysis of the 13 internally scanned servers revealed 21 security holes and 47 security warnings.[3] The major ports and services include NetBIOS, Simple Network Management Protocol, OpenSSL, and File Transfer Protocol. The NetBIOS service, for example, is recognized as a common Windows operating system weakness. We were able to identify eight of nine Windows servers which had enabled the NetBIOS protocol.[4] According to industry standards, enabling default Microsoft Windows NetBIOS over certain networks permits the server storage drives to be easily shared and accessible. Sharing drives across networks is not recommended, unless necessary, because it can permit unauthorized and undetected access to information. In addition, according to the System, Audit, Network, Security Institute (SANS), NetBIOS and Simple Network Management Protocol are two of the top 20 most critical Internet security vulnerabilities because they disclose information such as server services, account names, and passwords.

Through our access control testing we were successful in exploiting the NetBIOS vulnerability for seven of the eight NMAH Windows servers and numerous workstations. Of the seven Windows servers, we were able to obtain 29 system administrative password accounts. Once we had obtained these accounts, we were able, without authorization, to gain access to the server and the files and directories that contained the Collection Management Database and an NMAH financial system database. A review of the password files determined that some of the passwords were not in compliance with Institution complexity policies, which require the passwords to be at least eight characters and contain a combination of alphanumeric characters and a special character.[5]

[1] Appendix A contains a summary of policies and industry security standards used during this audit.
[2] The 13 NMAH servers consist of 9 Windows and 4 Netware operating system servers. We were unable to discover vulnerabilities with the Netware servers and concentrated on the Windows servers.
[3] A security hole is a security weakness that permits a computer intruder to get instant access to read any file or walk through the file system. A security warning is a weakness that can be exploited in conjunction with a vulnerability.
[4] NetBIOS is part of the Windows networking technology and represents a large share of common network level exploits that includes the sharing of files across a network.
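The password complexity policy cited above (at least eight characters with alphanumeric and special characters), together with the aging, dictionary-word and reuse rules that Appendix A quotes from Smithsonian Directive 931, can be applied mechanically when accounts are reviewed. The following Python check is an added example written for this report; it is not a tool the auditors or the Institution used. The account records, the word list and the set of special characters are constructed for the illustration, and the built-in administrator name is the Windows default.

```python
"""Password policy compliance check (constructed example, not the audit's
tooling).  Rules are those the report cites: at least eight characters with
letters, digits and a special character; not a dictionary word; changed
every 90 days; not reused; and the built-in administrator account renamed."""
import hashlib
import re
from datetime import date

MIN_LENGTH = 8
MAX_AGE_DAYS = 90
SPECIALS = set("!@#$%^&*()")             # the report's example special characters
DEFAULT_ADMIN_NAMES = {"administrator"}  # Windows built-in account name
# Tiny constructed word list standing in for a real dictionary file.
DICTIONARY = {"password", "museum", "history", "welcome", "summer"}


def digest(password: str) -> str:
    """SHA-256 digest used only to compare against password history here;
    a real system would compare against its stored (salted, slow) hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def complexity_violations(password: str) -> list:
    """Checks the composition rules of the policy; returns the rules broken."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not any(ch in SPECIALS for ch in password):
        problems.append("no special character")
    # Strip digits and symbols so "Museum1!" is still caught as a dictionary word.
    core = re.sub(r"[^A-Za-z]", "", password).lower()
    if core in DICTIONARY:
        problems.append("dictionary word")
    return problems


def lifecycle_violations(password, last_changed, history, today) -> list:
    """Checks the aging and reuse rules; history holds digests of old passwords."""
    problems = []
    if (today - last_changed).days > MAX_AGE_DAYS:
        problems.append(f"older than {MAX_AGE_DAYS} days")
    if digest(password) in history:
        problems.append("reused")
    return problems


def check_account(username, password, last_changed, history, today) -> list:
    """All policy violations for one account, composition rules first."""
    problems = complexity_violations(password)
    problems += lifecycle_violations(password, last_changed, history, today)
    if username.lower() in DEFAULT_ADMIN_NAMES:
        problems.append("default administrator account not renamed")
    return problems


# Constructed account records: (user, password, last change, old-password digests).
SAMPLE_ACCOUNTS = [
    ("backup", "Museum1!", date(2004, 1, 5), set()),
    ("Administrator", "Xq7#long9pass", date(2004, 4, 20), set()),
    ("curator1", "abcdefg", date(2004, 4, 1), {digest("abcdefg")}),
    ("webadmin", "Sp0nsor$2004", date(2004, 3, 1), set()),
]


def audit_accounts(accounts=SAMPLE_ACCOUNTS, today=date(2004, 5, 7)) -> dict:
    """Returns {username: [violations]} for every account that fails the policy."""
    report = {}
    for user, pwd, changed, history in accounts:
        problems = check_account(user, pwd, changed, history, today)
        if problems:
            report[user] = problems
    return report


if __name__ == "__main__":
    for user, problems in audit_accounts().items():
        print(f"{user}: {', '.join(problems)}")
```

The dictionary test strips digits and symbols before the lookup, so a dictionary word dressed up with a trailing digit and symbol is still flagged even though it satisfies the length and character-class rules; the backup account in the sample fails on that and on age, which is the pattern the audit found in shared service accounts.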
One system backup account, for example, by itself provided access to most NMAH servers. Also, the default administrative account was often not renamed as required by Institution policy and industry guidance.

Server Operating Systems

We compared server operating system and database configurations and settings against industry standards and guidance. We concentrated on six of the nine Windows servers. We encountered technical difficulties in executing scripts against the remaining three Windows servers.[6] NMAH had not enabled the new technology file system (NTFS) on three of its servers (AHBFMS, MIMSYWEB, and NMAH-312688). Instead, the servers were using the file allocation table (FAT).

The new technology file system offers extensive security permissions and auditing features that can be customized at the file and directory levels, as opposed to the file allocation table, which does not permit full utilization of these advanced security features. As a result, we were unable to fully assess the operating system configurations. Windows new technology file system is the file system recommended by the National Institute of Standards and Technology (NIST) for Windows operating systems because of the additional security settings it offers. In addition, our assessments revealed that operating system patches and hot fixes were not up to date.

[5] Special characters are keyboard characters such as !@#$%^&*().
[6] A script is a file that is executed on a computer that will automatically gather certain settings and configurations.
These data are further analyzed for comparison to industry system security standards.

The following table summarizes our assessment of the NMAH Windows operating systems. Each column is one of the six Windows servers assessed; the server names in the column headings are not legible in the source.

  Passed and NA (a)            30%     23%     30%     30%     31%     21%
  Failed                       70%     77%     70%     70%     69%     79%
  Tests Failed by Risk Level
    High (b)                    8       8       8       8       7       8
    Medium (c)                 11      15      12      12      13      15
    Low (d)                    30      31      29      29      28      32
  Total                        49      54      49      49      48      55

  a. Non-Applicable are tests that were not applicable to the type of server being reviewed.
  b. High (Excessive Risk): risk is high enough to cause a business disruption if exploited.
  c. Medium (Moderate Risk): risk in conjunction with another event could cause a business disruption if exploited.
  d. Low (Low Risk): risk can cause operational annoyance or inefficiencies if exploited.

Database Applications

We determined that two NMAH Oracle databases contained numerous administrative default installation accounts, passwords, user profiles, and assignments.[7] These administrative accounts provide the access and ability to modify and delete database information. According to industry standards and Institution policy, default accounts or passwords should be removed, renamed, or changed. Also, some accounts were unknown to NMAH technology staff, and other accounts represented users who have left the Institution but whose accounts and system access were still enabled.

Web Server Applications

We compared web server application configurations with industry standards. NMAH uses both Internet Information Services and Apache for their web server applications.[8] We determined that three NMAH web servers had significant weaknesses: they were not configured and updated to the most current versions; they contained questionable installed protocols such as NetBIOS; they contained default installation files and directories; and they contained default accounts with anonymous access privileges. NIST recommends that default installation files, directories, accounts, and anonymous access privileges be removed.

[7] These databases are used to support the NMAH collection system (MIMSY) and the NMAH financial management system (FMSWEB).
[8] Web server applications are used for computers that are used for internet purposes.
Finally, the current configuration of these three web servers allows unauthorized users the ability to obtain file and directory locations.

We believe NMAH system security weaknesses result from the lack of Institution-specific technical baseline configuration standards and guidance, as well as from the lack of resources (staff and budgetary) necessary to support NMAH's technology needs. The Institution has not issued policies or minimum technical configuration guidance for servers and databases for most versions of Windows operating systems, web server applications, and databases. In addition, within the last two years NMAH information technology administrative staff was reduced and reassigned to the Office of the Chief Information Officer. The staff position was not replaced, and according to NMAH information technology staff, the responsibilities for this position are still needed to keep NMAH systems up to date and configured correctly. Also, some of the system weaknesses were known and have not been addressed due to budgetary constraints. For example, a security remediation plan for the NMAH Collection Management System server is specifically part of the annual security budget request to the Office of Management and Budget. The remediation plan outlines the system weaknesses and recommended solutions.

According to industry security standards, inadequate access controls diminish the reliability of computerized data and increase the risk of destruction or inappropriate disclosure of data.
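The assessment method this section describes, gathering each server's settings, comparing them against a baseline, and tallying the failed tests by risk level as the table above does, can be written as a small script. The Python below is an added example for this report, not the auditors' scripts or any Institution tool. The baseline checks, the risk level assigned to each, the list of unneeded services (NetBIOS, SNMP, FTP and telnet, with their standard port numbers) and the three server records are constructed for illustration; the server names are not NMAH hosts.

```python
"""Baseline configuration assessment (constructed example, not the audit's
own scripts).  Gathered settings for each server are compared against a small
baseline; every failed check carries a risk level, and the results are tallied
the way the report's table does: failed tests by risk level plus a pass/fail
percentage over the number of tests applied."""
from dataclasses import dataclass

HIGH, MEDIUM, LOW = "High", "Medium", "Low"

# Services the report and NIST SP 800-44 list as candidates for removal on a
# server that does not need them (standard port assignments).
UNNEEDED_SERVICES = {
    21: ("FTP", MEDIUM),
    23: ("Telnet", HIGH),
    137: ("NetBIOS name service", HIGH),
    138: ("NetBIOS datagram service", HIGH),
    139: ("NetBIOS session service", HIGH),
    161: ("SNMP", HIGH),
}
# NTFS, patches, admin renamed, one test per unneeded service, default accounts, web defaults.
TOTAL_TESTS = 3 + len(UNNEEDED_SERVICES) + 2


@dataclass
class ServerConfig:
    """Settings a gathering script would collect from one server (constructed)."""
    name: str
    filesystem: str                  # "NTFS" or "FAT"
    missing_patches: int
    default_admin_renamed: bool
    open_ports: list
    default_accounts_enabled: list   # vendor default-install accounts still enabled
    web_default_content: bool        # default files and directories still installed


@dataclass
class Finding:
    server: str
    risk: str
    check: str
    detail: str


def assess(cfg: ServerConfig) -> list:
    """Runs every baseline test against one server and returns the failed ones."""
    findings = []

    def fail(risk, check, detail):
        findings.append(Finding(cfg.name, risk, check, detail))

    if cfg.filesystem.upper() != "NTFS":
        fail(HIGH, "ntfs", f"volume is {cfg.filesystem}: no file-level permissions or auditing")
    if cfg.missing_patches > 0:
        fail(HIGH if cfg.missing_patches > 5 else MEDIUM, "patches",
             f"{cfg.missing_patches} patches or hot fixes missing")
    if not cfg.default_admin_renamed:
        fail(MEDIUM, "default-admin", "built-in administrator account not renamed")
    for port, (service, risk) in UNNEEDED_SERVICES.items():
        if port in cfg.open_ports:
            fail(risk, f"port-{port}", f"{service} reachable on the internal network")
    if cfg.default_accounts_enabled:
        fail(HIGH, "default-accounts",
             "default installation accounts enabled: " + ", ".join(cfg.default_accounts_enabled))
    if cfg.web_default_content:
        fail(LOW, "web-defaults", "default installation files and directories present")
    return findings


def summarize(findings: list) -> dict:
    """Tallies one server's findings the way the report's table does."""
    by_risk = {HIGH: 0, MEDIUM: 0, LOW: 0}
    for f in findings:
        by_risk[f.risk] += 1
    failed = len(findings)
    return {"failed_by_risk": by_risk, "failed": failed,
            "failed_pct": round(100 * failed / TOTAL_TESTS),
            "passed_pct": round(100 * (TOTAL_TESTS - failed) / TOTAL_TESTS)}


# Constructed server records; names and settings are illustrative only.
SAMPLE_SERVERS = [
    ServerConfig("SRV-A", "FAT", 7, False, [80, 139, 161], ["setup_default"], True),
    ServerConfig("SRV-B", "NTFS", 0, True, [80, 443], [], False),
    ServerConfig("SRV-C", "NTFS", 2, False, [21, 139, 445, 1521], [], True),
]


def assessment_report(servers=SAMPLE_SERVERS) -> dict:
    """{server name: summary} for every server assessed."""
    return {s.name: summarize(assess(s)) for s in servers}


if __name__ == "__main__":
    for s in SAMPLE_SERVERS:
        for f in assess(s):
            print(f"{f.server} [{f.risk}] {f.check}: {f.detail}")
    for name, summary in assessment_report().items():
        print(name, summary)
```

Only services on the baseline's list produce findings, so SRV-C's open ports 445 and 1521 pass through silently; that is the point of the NMAH response that a list of "unnecessary" ports has to be agreed with the security office and cross-checked against the application portfolio before a scan result is treated as a finding.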
With the weaknesses our audit identified, NMAH information system resources are vulnerable to network and server business disruptions; potential data integrity compromises for its major databases; compromises of personnel, marketing, fundraising and donor information; and loss of web services.

Conclusion

Based upon our system configuration and network analyses, we believe that NMAH can improve system security by introducing an assessment process into its information technology administration. Implementing security assessments and performing periodic reviews can identify risks, thereby limiting vulnerabilities and preventing system compromises.

Recommendations

We recommended that the Director, National Museum of American History, Behring Center, ensure that his staff:

1. Perform periodic reviews of server security configurations to ensure patches and hot fixes are up to date for operating systems, web server applications, and databases.

2. Establish a process to ensure that unnecessary accounts are removed expeditiously from system resources.

3. Perform regular network scans of NMAH networks to identify and close unnecessary ports and services.

4. Reiterate the need for all NMAH users to comply with the Institution's computer password policy.

5. Develop a plan to begin addressing identified security weaknesses for its major systems.

Management Comments

NMAH management concurred with all of our recommendations. NMAH staff plans to upgrade its operating systems to the Office of the Chief Information Officer baseline during FY 2004. By June 30, 2004, NMAH plans on completing and removing unnecessary system accounts. NMAH plans to acquire tools and train staff to perform periodic network scans. NMAH plans to issue a semiannual email notification to all NMAH staff regarding strong password compliance. NMAH staff will develop a plan of action and milestone report for the Collection Information System.

Office of the Inspector General Response

We believe that the Director's planned actions, if implemented, are responsive to the recommendations.

Recommendation

We recommended that the Chief Information Officer establish policies and minimum technical configuration guidance for server operating systems, web server applications, and databases.

Management Comments

The Chief Information Officer concurred with our recommendation. The Chief Information Officer stated that he has developed and issued configuration standards and guidance for Windows 2000 servers. At the time of the audit, no other Windows operating system complied with the Smithsonian's Technical Reference Model. The Institution does not currently have specific configuration guidelines for web servers using Apache or for database servers but plans on completing configuration guidelines by the end of fiscal year 2004.

Office of the Inspector General Response

We believe the Chief Information Officer's planned actions, if implemented, are responsive to the recommendation.

Appendix A. Policies and Industry Standards

We evaluated NMAH systems security during November 14, 2003, through May 7, 2004. We used Smithsonian Directives as well as industry guidance and standards from NIST, the General Accounting Office, the National Security Agency, and Microsoft Corporation. The evaluation included a review of server operating system configurations, web server application configurations, databases, user accounts, network ports, and vulnerable services.

Smithsonian Directive 115, Management Controls, revised July 23, 1996, lists standards that apply to all Institution units. The directive requires managers to take systematic and proactive steps to develop and implement appropriate, cost-effective management controls.
These controls should provide reasonable assurance that assets are safeguarded against waste, loss, unauthorized use, and misappropriation.

Smithsonian Directive 931, Use of Computers & Networks, August 5, 2002, provides Institution policy on computer safeguards to protect Smithsonian equipment and data. Users are required to use safeguards that include having a password with at least eight alphabetic, numeric, and special characters. Passwords must not be found in a dictionary, easily guessed, or left in writing in the user's office. Also, passwords should be changed every 90 days and not reused.

National Security Agency, Guide to the Secure Configuration and Administration of Oracle9i Database Server, September 30, 2003, Version 1.2, describes how to securely configure and administer the Oracle9i Enterprise Edition Database Server. This guide must be supplemented with The Center for Internet Security's Oracle Database Security Benchmark v1.0.

The Center for Internet Security, Oracle Database Security Benchmark v1.1, provides high-level recommendations to secure an Oracle database with a baseline configuration to protect the system from the common "out of the box" vulnerabilities. The security of the Oracle database is a function of the security of the network and operating system that hosts the database. The guidance recommends that all relevant security patches be installed.

General Accounting Office, Financial Information Systems Control Audit Manual, January 1999, provides guidance in evaluating computer-related controls. The guidance describes access controls to provide reasonable assurance that computer resources are protected against unauthorized modifications, disclosure, loss, or impairment. Such controls include physical controls, such as locking computer rooms to limit access. Inadequate access controls diminish the reliability of computerized data and increase the risk of destruction or inappropriate disclosure of data.

National Security Agency, Research Study by Trusted Systems Services, Windows NT Security Guidelines: Considerations & Guidelines for Securely Configuring Windows NT in Multiple Environments, 1999, provides guidelines for countering known attacks on Windows NT installations that expose or modify user data maliciously. The goal is to make Windows NT as secure as reasonably and practically possible. Implicit in the guidelines is the understanding that recommendations must be both effective against certain threats and also practical. A balance is necessary between security and operations because some controls impede operational capability.

National Security Agency, Guide to Securing Microsoft Windows 2000 File and Disk Resources, April 19, 2001, recommends that the new technology file system be used in order to achieve the highest level of security. Under Windows 2000, only the new technology file system supports discretionary access control to the directories and files. New technology file system volumes provide secure and auditable access to the files. Therefore, any file allocation table partitions should be converted to new technology file system.

National Security Agency, Guide to Securing Microsoft Windows NT Networks, 2001, identifies a variety of available Windows NT 4.0 security mechanisms and describes measures for their implementation. The guide provides a solid security foundation for any Windows NT 4.0 network by offering step-by-step instructions on how to utilize the operating system's built-in security features.

NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, December 1998, states that the objective of system security planning is to improve the protection of information technology resources. All federal systems have some level of sensitivity and require protection as part of good management practice. According to NIST, system security plans should document the protection of the system. Additionally, the completion of system security plans is a requirement of the Office of Management and Budget Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, and Public Law 100-235, Computer Security Act of 1987. The purpose of the security plan is to provide an overview of the security requirements of the system and describe the controls in place for meeting those requirements. The system security plan also delineates the responsibilities and expected behavior of all individuals who access the system.

NIST Guidelines on Securing Public Web Servers, Special Publication 800-44, September 2002, provides guidelines on securing both Apache and Internet Information Services web server applications. The guidelines include installing permanent fixes (often called patches, hot fixes, service packs, or updates) and removing or disabling unnecessary services and applications. Ideally, a Web server should be on a dedicated, single-purpose host. Many operating systems are configured by default to provide a wider range of services and applications than required by a Web server; therefore, a Web administrator should configure the operating system to remove or disable unneeded services.
Some common examples of services that should usually be disabled include: Windows network basic input/output system (NetBIOS), if not required; file transfer protocol; telnet; simple management transfer protocol; and software development tools.

Microsoft White Paper, Securing Windows NT Installation, 1997, states that the default, out-of-the-box NT configuration is unsecured, and discusses various security issues with respect to configuring all Windows NT operating system products.

Appendix B. Glossary

Application. A complete, self-contained program that performs a specific function directly for the user. This is in contrast to system software such as the operating system, which exists to support application programs.

Directory. A computer system used to organize files on the basis of specific information.

Hot Fixes. Hot fixes and security patches are intended for enterprise implementations and provide an extra level of security for mission-critical software systems. Specifically, security patches eliminate vulnerabilities by mitigating recognized exploits.

NetBIOS. NetBIOS is part of the Windows networking technology that facilitates the sharing of files and computer resources across a network.

Operating System. The software which handles the interface to hardware, schedules tasks, allocates storage, and presents a default interface to the user when no application program is running.

Security Hole. A security hole is a security weakness that permits a computer intruder to get access to files or walk through the file system. A security warning is a weakness that can be exploited in conjunction with a vulnerability.

Server. A computer which provides some service for other computers connected to it via a network. For example, a file server is a computer and storage device dedicated to storing files and sharing those files over a network. A print server is a computer that manages one or more printers, and a network server is a computer that manages network traffic. A database server is a computer system that processes database queries.

Simple Network Management Protocol. Simple Network Management Protocol (SNMP) is the protocol governing network management and the monitoring of network devices and their functions.

System Administrator. An individual responsible for maintaining a computer system, including a local-area network. Typical duties include: adding and configuring new workstations, setting up user accounts, installing system-wide software, and performing procedures to prevent the spread of viruses.

Protocol. When data is being transmitted between two or more devices, something needs to govern the controls that keep this data intact. A formal description of message formats and the rules two computers must follow to exchange those messages. Protocols can describe low-level details of machine-to-machine interfaces or high-level exchanges between application programs.

Web server. A server application running on a computer which sends out web pages in response to requests from remote network or Internet users.

Appendix C. Management Comments

Date: May 21, 2004
To: Thomas D. Blair, Inspector General
From: Brent Glass, Director, National Museum of American History
Cc: Sheila Burke, COO
    Dennis Shaw, CIO
    William Hoyt, IG
    Dennis Dickinson, NMAH
Subject: NMAH Information Systems Controls Audit

This IT systems controls audit expands our knowledge of the extent to which our systems and electronic data are at risk. We learned a great deal from the FY2003 risk assessment of our Collections Information System (CIS).
The FY2004 remediation tasks established by that assessment are to begin shortly and will address some of the issues raised in your report. Plans to rebuild servers in our datacenter after OCIO consolidation will resolve others.

As mentioned in your summary, NMAH IT staff began addressing some of the vulnerabilities as soon as they were discovered. But it will take time to examine the contents of all reports that were delivered; we need to identify which weaknesses are urgent, which are "false-positive", and whether the remedy of any will negatively impact the operation of critical systems or applications.

At this time, we [accept] the facts in the report and respond to each recommendation as follows:

Perform periodic reviews of server security configurations to ensure patches and hot fixes are up-to-date for operating system, web server applications, and databases.
  - Server security, operating system, and antivirus configurations are periodically assessed. The April 2004 Sasser worm attack was thwarted by operating system updates applied to all our Windows servers in March 2004.
  - Our preference is to implement software tools to automatically maintain system and security configurations. Many of the recently replaced desktop PCs receive system patches from the OCIO SUS server. Our plan is for all NMAH systems to be configured this way in the future.
  - NMAH plans to upgrade the operating system of several servers identified in the report to OCIO baselines during FY2004.

Establish a process to ensure unnecessary accounts are removed expeditiously from system resources.
  - Work has begun to remove or disable unnecessary server operating system and database accounts.
  - The existing process will be reviewed and updated to conform to SI guidelines by June 30, 2004.

Perform regular scans of NMAH networks to identify and close unnecessary ports and services.
  - NMAH will need to acquire tools and train/hire technical staff to conduct this task on a quarterly basis.
  - Guidance is needed from the OCIO Security office on what ports and services are deemed unnecessary. This must be cross-checked against the NMAH portfolio of applications to determine if there are conflicts.

Reiterate the need for all NMAH users to comply with the Institution's computer password policy.
  - NMAH will issue biannual "strong password" e-mail compliance notifications to staff.
  - Every NMAH user is required to comply with the Institution's password and computer/network usage policies. The password policy is specifically referenced in Part 8 of the SI/NMAH Network/Application User Account application that must be signed to obtain a [network/e-mail/database] account.
  - Annual "Computer Security Awareness" training compliance is monitored.
  - 90 day password aging is implemented.

Develop a plan to begin addressing identified security weaknesses for its major systems.
  - NMAH will develop a POA&M by August 30, 2004 to begin addressing weaknesses not identified in the CIS POA&M.

Smithsonian Institution                                        Memo
Office of the Chief Information Officer

To: Thomas D. Blair, Inspector General
cc: Sheila Burke
From: Dennis Shaw
Subject: Response to the IG's Draft Report on NMAH Information System Controls

Thank you for the opportunity to comment on the draft audit report on the NMAH Information System Controls review. We agree with the report recommendations. However, we disagree with the underlying causes of the weakness identified in the draft IG report. We believe that the weaknesses have more to do with compliance with existing policies, procedures, and standards. Specific comments are attached.

Please call me on 202-633-2800 or Bruce Danielson at 202-633-[illegible] if you have any questions.

Attachment

Attachment

Response to Draft Audit Report on NMAH Information System Controls

Draft Report: "We believe NMAH system security weaknesses are due to the lack of Institution specific technical baseline configuration standards and guidance, as well as to the lack of resources (staff and budgetary) necessary to support the Museum technology needs. The Institution has not issued policies or minimum technical configuration guidance for servers and databases for most versions of Windows operating systems, web server applications and databases."

OCIO Comment: The OCIO has developed and issued configuration standards and guidance for Windows 2000 servers. At the time of this audit, no other Windows operating system complied with the Smithsonian's Technical Reference Model (TRM). The configuration guidelines specified configuration standards for Windows 2000 servers and for web servers deployed using Microsoft IIS. SI does not currently have specific configuration guidelines for web servers using Apache or for database servers.
Numerous other guidelines are in place that had they been followed, rvould\n           have prevented inany of the weaknesses addressed in the Audit. The Il\'Security Controls manual\n           ident~fiesa number of controls to he implanented. Among these are Audrting and Loggig\n           Procedures (1\'1\'930-\'I\'N02); Ilisabling and Deleting dormant Accounts (111930-\'TN04j;\n           Implementing vendor Software PatcheslFixes (r1\'-930-\'rN08); Min~rn~zing     Acccss to Production\n           Software and Data (IT-930-TN10);and Password Policy CornpUance \'L\'estingOT-930-TN12).\n\n           Draft Kcport: "In addttioo, w~thinthe last two years WlAH iufonnat~ontechnology\n           administrat~vestaff was reduced and reassigned to the Office ofthe Chief Infor~nationOificer.\n           \'The staff poation was not replaced, and according to NfAH information technology staff, the\n           responsibilit~esfor t h ~ posltlon\n                                     s        are still needed to maintain NVlA11 systems up to date and\n           coufigurcd correctly."\n\n           OCIO Comment: The draft report leaves the impression that theone individual, FSk,and funds\n           for the position were redssigned from NMAH to OCIO, This is not the case. The W A I I\n           enlployee filled a vacancy within the OCIO Mtwork Management Division. NMAH management\n           chose to redirect the FTEand funds to resolve other priority needs\n\n           Drdft Report: "Also, some of rllesystem weaknesses were known and have not been addressed due\n           to budgetary constraints. For example, a security re~nedidtionplan fur the WfAH Collection\n           Management Syste~llserver is syecific.diy part ofthe annual security budget request ro the Oftice of\n           Managelllent and Budget. 
The remediation plan outlines the system weakne,ses a11d\n           recon~rnendtldrolutions."\n\n           OCIO Comment: NMAH did not ask for an increase in the FY 2006 budget request to address IT\n           sccurity for its Collection Illformation System or I\'l\' operations. Progress toward eliminating\n           security weaknesses is reported to OMR through the quarterly and annual reporting requiretl by\n           the Federal Information Security Management Act (FISMA) and is not partof the t>MD budger\n           submission. Many ofthe weaknesses identified in the audit report were previously identifiedrn the\n           NMAH CIS security remediation plan (POABtM) a ~ l dshould have already been corrected. Many\n           of the most significant sccurity CLYCS can easily be undertaken and will not require significant\n           budgetary allotments.\n\x0cAppendix C. Management Comments (continued)\n\n\n      0\t        Smithsonian\n                Office o f the ChidInfomasjon Qficer\n                                                                                                           Memo\n\n                Computu !k&ysaff\n\n\n         Date   lune7,30Q4\n\n\n\n\n       S#et     IT c o n e m a documents\n\n                OCIO adcnowltdp tbt Big~IAuace6farnGprutian guidebics. We me eunmtlyln theprocessof\n                comykhg a sexies oFwnfiguwtiDn guiddinrs for 81 mrietYBf L ~ C N ~and\n                                                                                   ~(Laperating sa~tms,We bave\n                cunurtly compkted con&~ion guidelinesf~ Win-          2003 m e t , as well Wiidavs 2000 rrvcrs end\n                11s. 
We e p a ro m p k mnfiguratian@idi?her     for\n                                                                 u UNXX; SQL %mar; Osach ~ww;       md Apache\n                w  f\n                   m  by the a& aPt i i year 2W.\n\n\n\n\n                .wmmxfAe4~     m m C l N\n                Naturat HismryBulttling &om Wr3\n                ltnh SaLt\xe2\x82\xaca?~d ~ m I i m r h nAmuc VW\n                Wwhhgpon w low-8lU\n                la 357 ?%$Telephone\n                ta2 337 4lJS F a\n\x0c'